Method and apparatus for collaborative document control

ABSTRACT

A method and apparatus are disclosed for controlling collaborative access to a work group document by the users of a computer system. A combination of public-key cryptographic methods, symmetric cryptographic methods, and message digest generation methods are used. The document has a data portion and a prefix portion. A computer-implemented collaborative encryption method uses structures in the prefix portion to restrict access to the information stored in the data portion. Users who are currently members of a collaborative group can readily access the information, while users who are not currently members of the group cannot. Other structures in the prefix portion support collaborative signatures, such that members of the group can digitally sign a particular version of the data portion. These collaborative signatures can then be used to identify the signing member and to determine if changes in the data portion were made after the collaborative signature was linked to the document.

FIELD OF THE INVENTION

The present invention relates to a computer-implemented method andapparatus for controlling a work group document, and more particularlyto methods which allow each member of a specified group to encryptand/or decrypt a document or to digitally sign and/or authenticate thedocument by using a key that is unique to the member in question, and tomethods which prevent access to the document by persons who are notcurrently members of the group.

TECHNICAL BACKGROUND OF THE INVENTION

People often work in teams or groups to solve a problem or to create aproduct. Work groups are common in corporate departments ranging fromresearch and development to customer support. Groups work best when thecontributions of each group member are encouraged, reviewed, andimproved by other members through an exchange of views and experiences.In many cases, these contributions are captured in "work groupdocuments," namely, documents that are created and/or maintained by thework group.

The interplay between group members can make the documents produced andmaintained by the group superior to documents that are producedindividually. For instance, a product design document produced by anengineer, a marketer, and a user working together is more likely to leadto a successful product than a design document produced by any one ofthose individuals working alone.

Moreover, some documents can be more efficiently maintained by a groupthan by any given individual. For instance, in some cases statistics onnationwide efforts would be maintained more efficiently by designatingone knowledgeable person in each regional office to regularly update anetworked spreadsheet than by sending copies of raw data to a centrallocation for entry by someone who is unlikely to detect errors.

Although word processor documents and spreadsheets are perhaps the mostcommon examples of work group documents, they are by no means the onlyexamples. Work group documents may contain any combination of text,numbers, computer program source code, computer hardware schematics orlayouts, database records, digitized audio, digitized video, digitizedvisual images, or other digital information. Work group documents willoften be stored on magnetic or optical disks, but they may be stored inany medium capable of retaining digital information.

It is often desirable to give the members of a work group specialresponsibility and authority regarding the documents associated with thework group. In particular, various attempts have been made to imposesecrecy controls on work group documents. Secrecy controls attempt toallow members of the work group to review and edit the document whilepreventing such access by others.

One approach to secrecy requires the presence of special-purpose controlhardware before access to the work group document is allowed. Somesystems deny access unless a user logs onto a designated workstation orterminal that is protected by physical security measures such as lockeddoors, alarm systems, and patrolling guards. Some systems also embedverification hardware in the designated workstation. Other systems allowaccess through regular workstations but require that the user physicallyconnect a specific hardware circuit to the workstation's serial orparallel port before access is granted. Still other systems grant accessonly after verifying the user's identity by scanning an identity card orother distinguishing physical feature of the user.

Approaches that require the presence of special-purpose control hardwaremay provide a very high level of security. However, reliance onspecial-purpose control hardware to maintain secrecy also hassignificant drawbacks. A substantial lead time is often needed tomanufacture or modify the necessary control hardware. Each piece ofcontrol hardware is often customized, which also adds to the overallcost of the system.

In addition, the control hardware is typically prepared by one or morepeople outside the desired work group, such as hardware technicians.This has the drawback that document access is not limited to thosepeople who are expected to contribute directly to the document. Relyingon people who contribute to the control hardware but not to the documentdecreases the security of the document and increases the complexity andcost of administering the secrecy controls.

Approaches that rely on use of a specific terminal or workstation arealso undesirable for users that work more efficiently when they can logonto a network from any of several locations. For instance, users mayhave workstations located at home, in the field, in their own office,and in colleagues'offices. Requiring the user to travel to the specifiedterminal when another terminal is already available nearby reducesproductivity and stunts creativity.

Other approaches to secrecy place an "active filter" between thecomputer system users and the computer system storage media that holdthe work group documents. The active filter attempts to intercept everyaccess to the storage media and to filter out unauthorized attempts. Thefilter receives a user's request to access information, compares therequest with the user's access rights or capabilities, and then grantsor denies the request accordingly.

Active filters may include trusted personnel, trusted software, or both.Trusted personnel may include system administrators and/or systemoperators. Trusted software may include secure operating system softwareand/or secure file system software.

Active filters have certain advantages. Unlike controls that rely onspecial-purpose hardware, active filters allow users to utilize anyavailable terminal or workstation. Because they constantly monitor thesystem, system administrators and system operators may also detectattempted security breaches quickly enough to prevent them entirely orto limit their scope.

However, such reliance on system administrators and system operators forsecrecy poses substantial risk. Like the reliance on hardwaretechnicians in approaches based on special-purpose control hardware, theuse of system personnel as filters makes secret documents accessible topeople who would not otherwise have access to them. In effect, thesystem administrators and system operators become members of every workgroup. A security breach by a system administrator or a system operatormay compromise the secrecy of every document in the system, not just thesecrecy of a particular document or the secrecy of documents in aparticular work group.

Reliance on secure operating system software or secure file systemsoftware also has disadvantages. The software merely controls access tothe storage medium that holds the document. The document may thereforebe accessed by using unauthorized low-level software that bypasses theoperating system and file system software and accesses the storagemedium directly. Many programmers have the skill to create suchlow-level software if standard, commercially available file systemsoftware and computer hardware are used.

Moreover, many existing computer systems do not presently utilize secureoperating system or file system software capable of acting as an activefilter. Switching existing systems over to such software would beextremely time-consuming, expensive, and difficult.

Another approach to secrecy provides each member of the work group witha "capability," which is an unforgeable ticket identifying the documentand providing certain access rights to the document. Capabilities can begenerated only by the system and cannot be copied. When a user presentsthe system with an appropriate capability, the system provides the userwith the specified access to the document identified in the capability.

Although they have been used in some computer systems, capabilities havesubstantial drawbacks. They rely on trusted system operators and/ortrusted operating system software, so they have the disadvantages ofactive filters described above.

The "access control list" is perhaps the most widely used form ofsecrecy control. Different computer systems configure access controllists differently, but in general system users are assigned to one ormore groups by a system administrator and a list which matches groupswith access rights is associated with documents in the computer system.

For instance, if a user belongs to a group specified in the accesscontrol list of a given document as having read and write access to thedocument, then the user will be given read and write access to thedocument by the computer system. If the user belongs to a groupspecified in the access control list of the document as having readaccess only, then the system will give the user read access but willdeny write access to the document in question. In addition to theability to limit reads and writes, access control lists may also controlother rights, including the right to execute a file and the right tomodify the access control list for a file.

Although they are widely used, access control lists have substantialdrawbacks as tools for controlling the secrecy of work group documents.Access control lists rely both on a trusted system administrator and ontrusted file system software to control access, so they have thedisadvantages of active filters described above. A breach of security bythe system administrator makes all documents vulnerable, and therestraints imposed by the operating system or file system software canbe avoided by knowledgeable programmers.

Moreover, some computer systems, including some networks, maintain theaccess control lists in a single central location. Centralization makesmanagement of the lists easier but also leaves the entire systemvulnerable to failures at that central location. If the access controllists become unavailable because of a software or hardware problem, thenall users (except perhaps the system administrator) are shut out of allprotected work group documents until the problem is fixed.

Some computer systems use a combination of physical security,special-purpose control hardware, trusted system personnel, trustedsystem software, access control lists, and capabilities to restrictaccess to files of all types, including work group documents. However,these combinations include not only the respective advantages but alsothe respective drawbacks of their various components.

As a result, some work groups encrypt their documents. Encryption hasseveral advantages over the other approaches to secrecy described above.A document which is encrypted with a "key" can be decrypted only withthat key. The key is typically a sequence of letters and/or numberssimilar to a password or an account number. In its encrypted form, thedocument cannot be understood. That is, access to the document'sencrypted contents does not provide access to the information kept inthe document. If the key is known only to members of the work group,then the information in the document is not available to an unauthorizedhardware technician, system administrator, programmer, or any otherperson who does not know the key.

In addition, secure encryption and decryption can be performed bygeneral-purpose computer hardware, so group members are not limited to aspecific workstation or terminal. The higher costs and delays associatedwith special-purpose control hardware can also be avoided.

Nonetheless, existing encryption approaches do have certain limitations.Many approaches use encryption methods that are not secure or methodsthat are impractical. In addition, some approaches impose severe limitson changes in group membership.

Encryption methods may be insecure or impractical for various reasons.Some methods, such as simple substitution ciphers, can be rapidlycryptanalyzed by anyone with a desktop computer and a basic knowledge ofcryptography. Other encryption methods require deeper knowledge and/orthe application of significant computing resources such as asupercomputer or a network, but will also yield their secrets after somehours or days of effort.

The security of some encryption methods depends heavily on the steps ofthe method being kept secret. However, most such "hidden" methods arevulnerable to the efforts of experienced cryptanalysts even if thehidden steps are initially unknown. Hidden methods that work reasonablywell are also difficult to generate, making it impractical to rely onhidden methods in situations where dozens or hundreds of different workgroups must operate side-by-side using the same computing system. Thereare simply not enough working hidden methods to assign a differentmethod to each work group.

In addition, it is not unusual for a work group to change size andmembership over time, with some people being added and some beingremoved from membership. Relying on hidden encryption methods forsecrecy makes it difficult to revoke the access powers of people wholeave the group. As people leave they will carry their knowledge of thehidden method with them, thereby compromising the security of thegroup's documents.

Perhaps the most widely known secure encryption method is the DigitalEncryption Standard ("DES"), also known as the Digital EncryptionAlgorithm ("DEA"). This encryption method is discussed in one of theleading reference works on encryption, Applied Cryptography by BruceSchneier, ISBN 0-471-59756-2, John Wiley & Sons 1994 ("Schneier"). DESdoes not rely heavily on hidden method steps. Instead, DES relies on theextreme computational effort required to decrypt an encrypted documentwithout knowing the key. Individual DES keys are easy to generate, and alarge number of different keys can be generated, so DES can be usedeffectively even if many work groups share a computer system.

However, simply encrypting a work group document with DES does have thedrawback that the key used to encrypt the document must be known to allmembers of the work group to allow them to decrypt and work on thedocument. When people leave the group it is therefore difficult torevoke their access powers because they carry their knowledge of thegroup's DES key(s) with them.

In theory, each key known to the leaving person could be renderedharmless by decrypting all of the group's documents that are presentlyencrypted with that "old" key and then re-encrypting those documentsusing one or more "new" keys that are known only to the remaining groupmembers. But in practice such decryption and re-encryption would oftenbe an expensive and time-consuming process. In addition, the "new" keymust be distributed to all members of the working group. Keydistribution methods are favored targets in attempts to breach thesecurity of cryptographic methods. The difficulty of revoking accesspowers thus forces a choice between living with reduced security andseverely limiting changes in group membership.

Thus, it would be an advancement in the art to provide a novel methodand apparatus for controlling work group documents.

It would be an additional advancement to provide such a method andapparatus which do not require special-purpose work-stations orterminals.

It would also be an advancement to provide such a method and apparatuswhich limit access to work group documents to those people who areexpected to contribute directly to the document.

It would be a further advancement to provide such a method and apparatuswhich operate effectively with existing computer operating system andfile system software.

It would also be an advancement to provide such a method and apparatuswhich do not require a single centralized access control mechanism.

It would be a further advancement in the art to provide such a methodand apparatus which employ encryption so that access to a document'scontents does not provide access to the information within the document.

It would also be an advancement to provide such a method and apparatusin which the security of the encryption method used need not depend onthe steps of the method being kept secret, but may arise instead fromthe enormous computational effort required to decrypt an encrypteddocument without the key.

It would be an additional advancement to provide such a method andapparatus with which access powers are readily revoked when people leavethe work group, even though the work group documents are notre-encrypted with a new key and even though the people leaving the groupretain their knowledge of the key(s) they used.

It would also be an advancement to provide such a method and apparatuswhich permit any given member of the work group to independentlyre-encrypt the document with a different key in order to foilunauthorized decryption attempts, without preventing authorized accessto the document.

It would be a further advancement to provide such a method and apparatuswhich permit such independent re-encryptions without requiring the givenmember to distribute the new key to the other members of the work group.

It would be an additional advancement to provide such a method andapparatus which permit any given member of the work group toindependently change the cryptographic method used for key generation inorder to foil unauthorized decryption attempts, without preventingauthorized access to the document.

Such a method and apparatus for collaborative document control aredisclosed and claimed herein.

BRIEF SUMMARY OF THE INVENTION

The present invention provides a method for controlling collaborativeaccess to a work group document by the users of a computer system. Asconfigured according to the invention, the document has a data portionand a prefix portion. The invention provides a computer-implementedcollaborative encryption method which uses structures in the prefixportion to restrict access to the information stored in the dataportion. Users who are currently members of a collaborative group canreadily access the information, while users who are not currentlymembers of the group cannot.

Other structures in the prefix portion support collaborative signatures,such that members of the group can digitally sign a particular versionof the data portion. These collaborative signatures can then be used toadvantage in ways similar to conventional individual digital signatures.For instance, the collaborative signatures can be used to identify thesigning member and to determine whether any changes were made in thedata portion after the collaborative signature was linked to thedocument.

An important aspect of these prefix structures is their use ofpublic-key cryptographic methods in combination with other methods. Thepresent invention uses public-key cryptographic methods in a specificcombination with symmetric cryptographic methods to control decryptionof the data portion. The present invention likewise uses public-keycryptographic methods in a specific combination with message digestgeneration methods to control attribution of particular versions of thedata portion.

Unlike conventional security methods, the present invention preventsaccess to the information rather than merely preventing access to themedium that holds the information. The present invention also readilyprevents unauthorized access by users whose access rights have beenrevoked.

The present invention also covers related devices and articles forcollaborative document control. The features and advantages of thepresent invention will become more fully apparent through the followingdescription and appended claims taken in conjunction with theaccompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

To illustrate the manner in which the advantages and features of theinvention are obtained, a more particular description of the inventionsummarized above will be rendered by reference to the appended drawings.Understanding that these drawings only provide selected embodiments ofthe invention and are not therefore to be considered limiting of itsscope, the invention will be described and explained with additionalspecificity and detail through the use of the accompanying drawings inwhich:

FIG. 1 is a schematic illustration of a computer network suitable foruse with the present invention.

FIG. 2 is a diagram illustrating relationships between a collaborativeaccess controller of the present invention and several components of acomputer system.

FIG. 3 is a diagram illustrating a network operating system suitable foruse with the present invention.

FIG. 4 is a diagram illustrating one embodiment of a work group documentaccording to the present invention.

FIG. 5 is a diagram further illustrating a member definition that islinked to the document shown in FIG. 4.

FIG. 6 is a flowchart illustrating a method of the present invention forcollaboratively encrypting a document.

FIG. 7 is a flowchart illustrating a method of the present invention foradding a new member to a collaborative group.

FIG. 8 is a flowchart illustrating a method of the present invention forremoving a member from a collaborative group.

FIG. 9 is a flowchart illustrating a method of the present invention forrestricting access to a collaboratively encrypted document.

FIG. 10 is a flowchart illustrating a method of the present inventionfor collaboratively signing a document.

FIG. 11 is a flowchart illustrating a method of the present inventionfor authenticating a signature on a collaboratively signed document.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

Reference is now made to the Figures wherein like parts are referred toby like numerals.

General System Environment

The present invention relates to a method and apparatus for controllingcollaborative access to a work group document by users of a computersystem. The computer system may be a computer network, a stand-alonesystem such as an individual workstation or laptop computer, or adisconnectable mobile computer.

One of the many computer networks suited for use with the presentinvention is indicated generally at 10 in FIG. 1. In one embodiment, thenetwork 10 includes Novell NetWare® network operating system software,version 4.x (NetWare is a registered trademark of Novell, Inc.). Inalternative embodiments, the network includes NetWare Connect Services,VINES, Windows NT, LAN Manager, or LANtastic network operating systemsoftware (VINES is a trademark of Banyan Systems; NT and LAN Manager aretrademarks of Microsoft Corporation; LANtastic is a trademark ofArtisoft). The network 10 may be connectable to other networks 11through a gateway or similar mechanism.

The network 10 includes several connected local networks 12. Each localnetwork 12 includes a file server 14 that is connected by signal lines16 to one or more clients 18. The clients 18 include personal computers20, laptops 22, and workstations 24. The signal lines 16 typicallyinclude twisted pair, coaxial, or optical fiber cables, but may alsoinclude transmission means such as telephone lines, satellites, andmicrowave relays.

In addition to the client computers 18, a printer 26 and an array ofdisks 28 are also attached to the network 10. Other components may alsobe connected to one or more of the computer systems 10, 18, 20, 22, 24.For example, the laptop 22 is connected to a removable PCMCIA card 30. Aremovable hardware token 32 (such as a "dongle") is connected to a portof one of the clients 18. Although particular individual and networkcomputer systems 10, 18, 20, 22, 24 are shown, those of skill in the artwill recognize that the present invention also works with a variety ofother computer systems.

The file servers 14 and the clients 18 are capable of using floppydrives, tape drives, optical drives or other means to read a storagemedium 34. A suitable storage medium 34 includes a magnetic, optical, orother computer-readable storage device having a specific physicalsubstrate configuration. Suitable storage devices include floppy disks,hard disks, tape, CD-ROMs, PROMs, RAM, and other computer system storagedevices. The substrate configuration represents data and instructionswhich cause the computer system to operate in a specific and predefinedmanner as described herein. Thus, the medium 34 tangibly embodies aprogram, functions, and/or instructions that are executable by the fileservers 14 and/or client computers 18 to perform collaborative documentcontrol steps of the present invention substantially as describedherein.

One embodiment of a computer system according to the present inventionis further illustrated in FIG. 2. Users of the computer system accessand manipulate information with the aid of a user interface 40. Suitableuser interfaces 40 include command line interpreters or shells such asthose used in the UNIX environment, as well as desktops such as theMicrosoft Windows 3.x or Windows 95 desktops (Microsoft, Windows, andWindows 95 are trademarks of Microsoft Corporation).

The user interface 40 is capable of launching one or more applicationprograms 42 which are tailored to solve particular problems ormanipulate particular types of data. An enormous variety of applicationprograms 42 are known in the art, including without limitation wordprocessors, spreadsheets, database managers, presentation managers, andprogram development tools. The application programs 42 may be configuredto run on a single processor, on a multiprocessor, or on a distributedsystem such as the computer network 10 (FIG. 1).

The application programs 42 interface with a collaborative accesscontroller 44 which performs access control steps in a manner describedherein. Those of skill in the art will appreciate that implementationsaccording to the present invention may place access controller 44routines in .DLL files, in .EXE files, in OLE objects, and in othersoftware components. The collaborative access controller 44 may bestored separately from the applications 42. Alternatively, some or allof the controller 44 may be linked into selected applications 42 atcompile-time or at run-time. Those of skill will also appreciate thatthe controller 44 may be implemented in software, in hardware, or in acombination of software and hardware.

The collaborative access controller 44 interfaces with an operatingsystem 46 which manages various resources of the computer system.Suitable operating systems 46 include those configured for stand-alonecomputer systems, such as the DOS, WINDOWS, WINDOWS 95, and MACINTOSHoperating systems, as well as those configured for networks, such as thenetwork operating systems identified above in connection with thenetwork 10 (FIG. 1). (WINDOWS and WINDOWS 95 are trademarks of MicrosoftCorporation; MACINTOSH is a registered trademark of Apple Computer,Inc.).

In some embodiments, the operating system 46 generates, maintains, andmanages a set of user identifiers 48 such as login names or accountnumbers. User identifiers such as the identifiers 48 are commonly usedto track resource use, to assist in verifying resource access rights,and to identify system users to one another. A login password is often,but not always, associated with each user identifier 48. Unlessotherwise indicated, as used herein "password" includes both passwordsand pass phrases.

Cryptographic Methods

In some embodiments, the operating system 46 also generates, maintains,and manages a set of keys 50. Some of the keys 50 are generated bysymmetric cryptographic methods while others are generated by public-keycryptographic methods. It is presently preferred to utilize encryptionmethods whose strength does not depend heavily on the steps of themethod being kept secret, but comes instead from the enormouscomputational effort required to decrypt an encrypted document withoutthe key. Unless otherwise indicated, as used herein "encryption"includes both initial encryption and subsequent re-encryption.

One suitable symmetric cryptographic method is defined by the DataEncryption Standard (DES) described in the following National Bureau ofStandards FIPS PUB publications which are incorporated herein byreference: 46, 74, 81, 112, and 113. DES and a variation known astriple-DES are described in pages 219-243 of Schneier, which areincorporated herein by reference. Other suitable symmetric cryptographicmethods include LOKI91 (see pages 255-56 of Schneier), Khufu (see U.S.Pat. No. 5,003,597 incorporated herein by reference), IDEA (see U.S.Pat. No. 5,214,703, incorporated herein by reference), and othersymmetric methods described in Schneier.

Suitable public-key cryptographic methods include the following: the RSAmethod described in U.S. Pat. No. 4,405,829; the Schnorr methoddescribed in U.S. Pat. No. 4,995,082; the Diffie-Hellman methoddescribed in U.S. Pat. No. 4,200,770; the ElGamal method described inpages 300-302 of Schneier; and the DSA method described in pages 304-314of Schneier. Each of these descriptions of a public-key cryptographicmethod is incorporated herein by reference. Other suitable public-keycryptographic methods are also known in the art, including withoutlimitation other methods described in Schneier. The cryptographicmethod(s) used may be implemented in software which executes on ageneral-purpose computer, in software which executes on aspecial-purpose computer, or in connection with the hardware token 32 orthe PCMCIA card 30.

Documents Generally

With continued reference to FIG. 2, the collaborative access controller44 also interfaces with a file system 52 which manages files containingdocuments 54 that are generated and manipulated using the computersystem. Although documents 54 are typically generated and manipulated byusers directly with one or more of the application programs 42, on somesystems documents may also be generated and manipulated at times withoutdirect user intervention. For instance, documents 54 may becollaboratively encrypted for use by a predetermined group of userswithout direct user intervention.

Those of skill will appreciate that a document 54 does not necessarilycorrespond to a file. Each document 54 maintained in the file system 52may in practice be stored in a portion of a file which holds otherdocuments 54, in a single file dedicated to the document 54 in question,or in a set of coordinated files.

Suitable file systems 52 include those configured for standalonecomputer systems, such as the various File Allocation Table file systemsused in connection with the DOS operating system and the HighPerformance File System used in connection with the OS/2 operatingsystem (OS/2 is a mark of International Business Machines Corporation).Suitable file systems 52 also include those configured for networks,such as the file systems used with the network operating systemsidentified above in connection with the network 10 (FIG. 1). The filesare stored in one or more files on a magnetic drive, optical drive, orother storage medium.

Those of skill in the art will appreciate that functions provided by theoperating system 46 in some embodiments are provided by thecollaborative access controller 44 or by individual application programs42 in other embodiments. Thus, the keys 50 and the identifiers 48 may begenerated, maintained, and managed by the operating system 46, by thecollaborative access controller 44, and/or by the individual applicationprograms 42.

Network Environment

FIG. 3 illustrates an embodiment of the present invention which utilizesa network operating system 60 as the operating system 46. In a presentlypreferred embodiment, the network operating system 60 comprises (a) theNovell NetWare® 4.x network operating system in combination with (b) anobject database system 62 that comprises Novell's NetWare DirectoryServices software (NDS) and (c) an authenticator 64 that restrictsaccess to the object database system 62. Suitable authenticators 64include those used in the NetWare, Windows NT, LAN Manager, and VINESnetwork operating systems.

The object database system 62 includes a schema 66 that defines avariety of objects 68, 70, 72, 74. More specifically, the schema 66shown defines user objects 68, group objects 70, organizational roleobjects 72 and key objects/attributes 74. In alternative embodiments,the schema 66 omits definitions of group objects 70 and/ororganizational role objects 72.

The schema 66 includes a set of "attribute syntax" definitions, a set of"attribute" definitions, and a set of "object class" (also known as"class") definitions. The NDS software and a default NDS schema 66 aredescribed in chapters 6 through 8 of NetWare 4 for Professionals byBierer et al. ("Bierer"). The terms "attribute" and "property" are usedinterchangeably in Bierer, as are the terms "attribute syntax" and"property syntax."

Each attribute syntax in the schema 66 is specified by an attributesyntax name and the kind and/or range of values that can be assigned toattributes of the given attribute syntax type. Attribute syntaxes thuscorrespond roughly to data types such as integer, float, string, orBoolean in conventional programming languages.

Each attribute in the schema 66 has certain information associated withit. Each attribute has an attribute name and an attribute syntax type.The attribute name identifies the attribute, while the attribute syntaxlimits the values that are assumed by the attribute. Each attribute mayalso have associated with it any or all of the following flags:Non-removable, Hidden, Public Read, Read Only, Single-Valued, Sized, andString. The general meanings of these flags are familiar to those ofskill in the art. If the Sized flag is set for a given attribute, thenupper and lower bounds (possibly including No Limit) are imposed onvalues currently held by that attribute.

Each object class in the schema 66 also has certain informationassociated with it. Each class has a name which identifies this class, aset of super classes that identifies the other classes from which thisclass inherits attributes, and a set of containment classes thatidentifies the classes permitted to contain instances of this class.Although the topics of class inheritance, containment, and instantiationare familiar to those of skill in the art, their use in connection withkey objects/attributes 74 according to the present invention is new.

Each object class also has a container flag and an effective flag. Thecontainer flag indicates whether the class is a container class, thatis, whether it is capable of containing instances of other classes. Theeffective flag indicates whether instances of the class can be defined.Non-effective classes are used only to define attributes that will beinherited by other classes, whereas effective classes are used to defineinheritable attributes, to define instances, or to define both.

In addition, each object class groups together certain attributes. Thenaming attributes of a class are those attributes that can be used toname instances of the class. The mandatory attributes of a class arethose attributes that must exist in each valid instance of the classand/or become mandatory attributes of classes which inherit from theclass. The optional attributes of a class are those attributes that may,but need not, exist in each valid instance of the class. Optionalattributes of a parent class become optional attributes of a child classwhich inherits from the parent class, unless the attributes aremandatory in some other parent class from which the child inherits, inwhich case they are also mandatory in the child.

An object is an instance of an object class. Different objects of thesame class have the same mandatory attributes but may have differentcurrent values in their corresponding mandatory attributes. Differentobjects of the same class may have different optional attributes, and/ordifferent current values in their corresponding optional attributes.

The NDS software includes an interface library which provides access tothe schema 66 and to the database in the system 62. The schema 66 is anAPI-extensible schema in that the attributes and object classes found inthe schema can be altered through an Application Programmers' Interface("API") without direct access to the source code that implements theschema 66. In some embodiments the interface library includes tables orcommands stored in a file which is read by the schema 66 during itsinitialization and when objects are created, thereby defining theavailable attributes and classes.

In addition or as an alternative, the interface library includes a setof routines that are available to other code to access and modify theschema 66. In one embodiment the interface library includes an API thatdefines an interface to an NWDSxxx() library which is commerciallyavailable from Novell, Inc. of Orem, Utah. The NWDSxxx() library is sonamed because the names of functions and data types defined in thelibrary typically begin with "NWDS," an acronym for "NetWare DirectoryServices."

The database in the system 62 is a "hierarchical" database because theobjects 68, 70, 72, 74 and their attributes in the database areconnected in a hierarchical tree structure. Objects in the tree that cancontain other objects are called "container objects" and must beinstances of a container object class.

With reference to FIGS. 1 and 3, the database in the system 62 is also a"synchronized-partition" database. The database is typically dividedinto two or more non-overlapping partitions. To improve the responsetime to database queries and to provide fault-tolerance, a replica ofeach partition is physically stored on one or more file servers 14 inthe network 10. The replicas of a given partition are regularly updatedby the directory services software through an automated synchronizationprocess, thereby reducing the differences between replicas caused byactivity on the network 10.

An NWAdmin snap-in module may be used to modify the directory servicesschema 66 to support key objects/attributes 74 according to the presentinvention. NWAdmin is a commercially available extendable tool used bynetwork administrators to manage objects and attributes in objectdatabases.

In some embodiments, key pairs 76 are stored in key objects 74. Inalternative embodiments, the key pairs 76 are stored in key attributes74 which are then associated with user objects 68, with group objects70, and/or with organizational role objects 72. Those of skill in theart will readily determine appropriate storage locations for the keypairs 76 in particular implementations of the present invention.

Each key pair 76 includes a public key 78 and a private key 80. The keys78, 80 in any given pair 76 correspond to one another in operation asdescribed herein. The public key 78 and the private key 80 are eachgenerated by a given public-key cryptographic method. Suitablepublic-key cryptographic methods include those disclosed herein andother methods familiar to those of skill in the art.

Collaborative Documents

FIG. 4 illustrates a work group document 90, also known as"collaborative document 90," which is configured according to thepresent invention. The work group document 90 includes a prefix portion92 and a data portion 94. The prefix portion 92 and the data portion 94are each capable of being stored in at least one file in the computersystem 10 (FIG. 1).

The term "prefix" does not limit the physical location of the prefixportion 92 of the document 90 but merely indicates a preferred locationin embodiments which store the entire document 90 in a single file. Thatis, the information kept in the prefix portion 92 is preferably placedat the front of the file to promote efficient access to the prefixinformation in such embodiments. However, the prefix portion 92 may alsobe located in a separate file, at a separate location within the samefile as the data portion 94, or even interleaved with parts of the dataportion 94.

With reference to FIGS. 4 and 5, the prefix portion 92 of the work groupdocument 90 includes at least one member definition 96. The memberdefinitions 96 may be located in the same file as the data portion 94 orin one or more separate files. As explained hereafter, the memberdefinitions 96 define a collaborative group of computer system userswhich have access to the data portion 94 of the work group document 90.

Each member definition 96 includes a member identifier 98. Suitablemember identifiers 98 include the user identifiers 48 (FIG. 2) used bythe operating system 46, as well as identifiers defined exclusively foruse in connection with work group document access according to thepresent invention. With reference to FIG. 3, one or more members of thecollaborative group may correspond to an individual user object 68, to agroup object 70, or to an organizational role object 72 that isrecognized by the network operating system 60.

Each member definition 96 also includes an encrypted document key 100.Suitable encrypted document keys 100 include keys which are firstgenerated by the symmetric or public-key cryptographic methodsidentified above and then encrypted by one of the public-keycryptographic methods.

The illustrated embodiment of the member definition 96 also includes anencrypted message digest 102. In a particular work group document 90,some of the member definitions may include an encrypted message digest102 while others do not. The encrypted message digest 102 will bepresent (absent) if the member in question has collaboratively signed(has not signed) the document 90, as explained below.

Access Control Methods

FIGS. 4-9 illustrate one method according to the present invention forcontrolling collaborative access to the work group document 90. Inparticular, the method includes computer-implemented steps forcollaboratively encrypting the document 90 (FIG. 6) and steps forrestricting access to the data portion 94 of the collaborativelyencrypted document (FIG. 9).

FIGS. 2-6 illustrate one method according to the present invention forcollaboratively encrypting an arbitrary document 54 to produce a workgroup document 90. During a document-key-obtaining step 110, thecollaborative access controller 44 obtains a document key which will beused to encrypt the contents of the data portion 94 of the document 54during a subsequent encrypting step 112.

In one embodiment, the document key is one of the keys 50 that aregenerated by the operating system 46. In another embodiment, thedocument key is generated by the collaborative access controller 44directly. In either case, the document key is preferably suitable foruse with a symmetric cryptographic method to encrypt the data portion 94of the document 54 during the encrypting step 112. Symmetric methods arepreferred in the step 112 for their speed and their use of a single keyrather than a key pair. However, in alternative embodiments the documentkey is suitable for use with a public-key cryptographic method duringthe encrypting step 112. Suitable cryptographic methods include thoselisted above and other methods that are familiar in the art.

During an identifying step 114, a collaborative group is identified byidentifying one or more members of the group. Identification isaccomplished by obtaining user identifiers 48 through dialog boxes orother interactive user interfaces, by identifying a group object 70 orother group identifier that is known to the operating system 46, or byother identification means familiar to those of skill in the art. In oneembodiment, a default mechanism is employed whereby the user presentlydirecting the collaborative access controller 44 is automaticallyidentified as a member of the collaborative group.

During a member-key-obtaining step 116, the collaborative accesscontroller 44 obtains one public key 78 for each collaborative groupmember. In some embodiments, the step 116 includes accessing thedatabase system 62. In one of these embodiments, the collaborativeaccess controller 44 submits one or more requests for public keys 78 tothe authenticator 64, and the public keys 78 are supplied only after therequests are validated. Validation uses familiar techniques to verifythat the source of the access request has sufficient access rights.

In another embodiment, the collaborative access controller 44 makesrequests for public keys 78 directly to the object database system 62without going through the authenticator 64. In alternative embodiments,the public key 78 is obtained from the operating system 46, the hardwaretoken 32 (FIG. 1), or the PCMCIA card 30 without accessing the databasesystem 62. Similar steps are employed to obtain private keys 80 duringother steps described hereafter.

In a different embodiment, the public key 78 includes a certificatewhich can be used to validate the key 78. Version 1 certificates aredescribed at page 426 of Schneier, which is incorporated herein byreference. Version 2 and version 3 certificates are also known in theart.

During a building step 118, the collaborative access controller 44builds a member definition 96 for each member of the collaborativegroup. The components of each member definition 96 (illustrated in FIG.5) are formed as follows. The member identifier 98 comprises the useridentifier 48 which identifies the member to the operating system 46.The member identifier 98 optionally includes additional informationwhich is either provided by the user during the identifying step 114 orextracted from the appropriate user object 68, such as the user's fullname, telephone number, e-mail address, or department name.

The encrypted document key 100 is formed by encrypting the document keyobtained during the step 110 with the public key of the member inquestion., which was obtained during the step 116. Note that theunderlying document key is the same for each member of the collaborativegroup, but the encrypted form 100 of the document key is unique to eachmember. Those of skill in the art will appreciate. that the encrypteddocument key 100 can be decrypted only by using the private key 80 thatcorresponds to the public key 78 used to encrypt the document-key.

They will also appreciate that the present invention is not hampered byhuman interface factors which tend to make short document keyspreferable. Because the document key of the present invention isgenerated and manipulated by an implementing program, the key may bearbitrarily long and random in nature, and thus much less vulnerable toattacks based on short document key lengths.

As noted, the member definition 96 includes the encrypted message digest102 if the member in question has collaboratively signed the document90. As explained in greater detail below in connection with FIG. 10, theencrypted message digest 102 is formed by generating a message digestbased on the current contents of the data portion 94 of the document 90and then encrypting that message digest with the private key 80 of themember who is signing the document 90. The message digest is also knownas a "hash value."

The one or more member definitions 96 that were built during the step118 are linked during a linking step 120. The member definitions 96 arelinked with any pre-existing prefix portion 92 of the document 54 (thatis, any prefix portion 92 which is separate from the member definitions96) and with the encrypted form of the data portion 94 of the document54, thereby transforming the document 54 into a work group document 90.

In one embodiment, linking is accomplished by storing the encrypted dataportion 94 and the prefix portion 92 (including one or more memberdefinitions 96) together in a file on a disk, tape, or otherconventional storage medium.

In another embodiment, linking comprises storing the encrypted dataportion 94 in one file and storing the prefix portion 92 (with memberdefinitions 96) in separate files which are associated with one another.The association is created by a file naming convention, by listing thefiles in a data structure kept in one of the files, by listing the filesin a data structure kept in the object database system 62, or by othermeans readily determined by those of skill in the art for associatingfiles.

FIGS. 2-5 and 7 illustrate a method according to the present inventionfor adding a new member to the collaborative group of an existingcollaborative document 90. During a verifying step 122, thecollaborative access controller 44 verifies that the user requesting theaddition of the new member is authorized to add new members. It ispresently preferred that any current member of a collaborative grouphave authority to add or remove group members.

However, in one alternative embodiment, authorization to change groupmembership is granted only to the founding member who created thecollaborative document. In another alternative embodiment, only thefounding member is initially authorized to change group membership, butthe founding member may delegate that authority to one or more othergroup members. Those of skill in the art will readily determineappropriate changes to the member definitions 96 and to the methodsdescribed herein to implement these alternatives.

In the preferred embodiment, according to which any current member of acollaborative group has authority change the membership of the group,the verifying step 122 includes searching the member definitions 96 inthe prefix portion 92 of the work group document 90 in an attempt tolocate a member identifier 98 that corresponds to the user who isrequesting the change in group membership. If a corresponding memberidentifier 98 is found, the user is authorized to make the request.Otherwise, the user is not a member of the collaborative group and thusis not authorized to request changes in the membership of that group.

During an obtaining step 124, the collaborative access controller 44obtains the public key 78 which corresponds to the user being added tothe collaborative group. This is accomplished by any of the means andsteps discussed above in connection with the member-key-obtaining step116 (FIG. 6).

During a building step 126, a new member definition 96 is built. This isaccomplished generally as discussed above in connection with thebuilding step 118 (FIG. 6), with the following differences. The memberidentifier 98 of the new member definition 96 includes the useridentifier 48 which identifies the new member to the operating system46. The encrypted document key 100 is formed by obtaining the privatekey 80 of the member who authorized the addition in the step 122,decrypting that authorizing member's encrypted document key 100 toobtain the document key, and then encrypting the document key with thepublic key 78 of the new member. The new member definition 96 does notinitially include an encrypted message digest 102. The encrypted messagedigest 102 will be added subsequently if the new member collaborativelysigns the document 90.

During a linking step 128, the new member definition 96 is linked withthe work group document 90. This is accomplished by any of the means andsteps discussed above in connection with the linking step 120 (FIG. 6).

FIGS. 2-5 and 8 illustrate a method according to the present inventionfor removing a member from the collaborative group of an existing workgroup document 90. During an optional verifying step 140, thecollaborative access controller 44 verifies that the user requesting theremoval of the targeted member is authorized to remove members. Asdiscussed above in connection with FIG. 7, it is presently preferredthat any current member of a collaborative group have authority to addor remove group members, but alternative approaches to authorization arealso disclosed.

In the preferred embodiment, according to which any current member of acollaborative group has authority to change the membership of the group,the verifying step 140 includes searching the member definitions 96 inthe prefix portion 92 of the work group document 90 for a memberidentifier 98 that corresponds to the user who is requesting the changein group membership. If a corresponding member identifier 98 is found,the user is authorized to make the request. Otherwise, the user is not amember of the collaborative group and thus is not authorized to requestchanges in the membership of that group.

During a locating step 142, the collaborative access controller 44searches the member definitions 96 in the prefix portion 92 of the workgroup document 90 for a member identifier 98 that corresponds to thetargeted member. If a corresponding member identifier 98 is found, thetargeted member is removed by a deleting step 144. If the search fails,the targeted "member" is not a member of the collaborative group andthus no change is made to the membership of that group. The deletingstep 144 is accomplished by fully deleting the information in thetargeted member definition 96.

FIGS. 2-6 and 9 illustrate a method according to the present inventionfor restricting access to the information in the data portion 94 of thework group document 90 so that members of the collaborative group haveaccess and others do not. During a detecting step 150, the application42 detects that the document 54 to which access is requested is a workgroup document 90. This is accomplished by tailoring the application 42to recognize a flag in the document prefix 92, by a naming conventionexhibited in the name of the file that contains the data portion 94, orby other means readily determined by those of skill in the art.

Alternatively, the application 42 may not be capable of distinguishingwork group documents 90 from other documents 54. In this case, one oftwo events occurs. Either the application 42 fails to read the encrypteddata portion 94 and displays an error message, or the application 42reads the encrypted data portion 94 and displays encrypted data to theuser. In either case, the user then recognizes that the document 54 is awork group document 90 and invokes the controller 44 beginning at anobtaining step 152.

After it has been determined that the document 54 to which access isrequested is a work group document 90, the obtaining step 152 isperformed by the collaborative access controller 44. As with otherportions of the collaborative access controller 44, the portion whichperforms the obtaining step 152 may be embodied within the application52 or may be a separate module which is invoked by the application 52 orby the user. The obtaining step 152 comprises interactively asking theuser for its user identifier and a corresponding password. Inalternative embodiments, the user identifier identifies the current userand is obtained by querying the operating system 46 or the objectdatabase system 62; only the password is obtained interactively from theuser.

During a key-seeking step 154, the collaborative access controller 44attempts to use the information provided during the step 152 to obtainthe private key 80 of the identified user. This is accomplished by meansand steps discussed above in connection with the steps 116, 124. If theattempt fails, then the user identifier obtained during the step 152 isnot valid, or the password obtained is not valid for the identifieduser, or both of these conditions hold.

Accordingly, the collaborative access controller 44 performs a limitingstep 156 to limit access to the information in the data portion 94 ofthe work group document 90. In one embodiment, the limiting step merelydenies the user access by preventing decryption of the data portion 94.In other embodiments, decryption is prevented and additional steps aretaken as well. One embodiment logs information about the failed attempt,such as the time, workstation, collaborative document name, useridentifier, etc. Another embodiment uses e-mail, telephony, alarms, orother conventional means to notify security personnel of the failedattempt. A third embodiment both logs the information and notifiessecurity.

If the key-seeking step 154 succeeds, a member-seeking step 158 isperformed. The step 158 searches the member definitions 96 of thecollaborative document 90 in an attempt to locate a member identifier 98that corresponds to the user identifier obtained during the step 152.The search is accomplished substantially as described above inconnection with the steps 122, 140, 142. If the search fails, then theuser identifier does not identify a member of the collaborative groupand the limiting step 156 is performed.

If the search succeeds, a key-decrypting step 160 is performed. Theprivate key 80 obtained during the step 154 is used in a mannerdetermined by the public-key cryptographic method used in the step 118to decrypt the corresponding encrypted document key 100, therebyproviding a usable copy of the document key. Those of skill willappreciate that copies of keys should be kept only as long as necessary,and should be kept in secure locations. Thus, the decrypted copy of theprivate key 80 obtained during the step 154 is preferably scrambled,overwritten, or otherwise destroyed from memory as soon as a usable copyof the document key is obtained.

During a data-decrypting step 162, this copy of the document key is thenused in a manner determined by the symmetric or public-key cryptographicmethod used in the step 112 to decrypt the encrypted data portion 94 ofthe collaborative document 90, thereby providing the collaborative groupmember access to the information stored in the document 90.

In one embodiment, the copy of the document key used to decrypt the dataportion 94 is then promptly scrambled or otherwise invalidated toprevent its unauthorized use. However, in another embodiment the copy ismaintained intact in a secure location in case the member decides tomodify the copy of the data portion 94 which is kept on disk or in otherpermanent storage. After modifications to the data portion 94 are madeusing the application 42, the data portion is re-encrypted by repeatingthe step 112 and stored. The copy of the document key obtained duringthe step 160 is promptly scrambled or otherwise destroyed after the dataportion 94 is re-encrypted.

Alternatively, the key can be retrieved if needed. However, insituations which require high security, a new document key is preferablygenerated and the document 90 is re-encrypted with a new key after eachediting session.

Attribution Control Methods

FIGS. 2-6 and 10 illustrate a method according to the present inventionfor collaboratively signing a document 90. Collaborative signaturescontrol the attribution of a given version of the work group document 90to one or more members of the collaborative group.

During one embodiment of an identifying step 170, collaborative groupmembership is verified. The user who indicates a desire tocollaboratively sign the document 90 must be a member of thecollaborative group which is defined by the member definition(s) 96 thatare linked to the collaborative document 90. Accordingly, a search ismade of the member definitions 96, as in the steps 158, 142, 140, 122.If the search fails, a limiting step such as the step 156 may beperformed, or the collaborative access controller 44 may simply print amessage refusing the request to sign.

In an alternative embodiment, persons who are not members of thecollaborative group are allowed to sign and to authenticatecollaboratively encrypted documents. This is accomplished by omittingthe step 174 of FIG. 10 and the step 194 of FIG. 11.

If the search succeeds, a signing step 172 is performed. Those of skillin the art will appreciate that the signing step 172, like many othersteps of the present invention, may detect invalid user identifiers,keys, file names, or claims of group membership. The step 172 and theother steps described herein preferably react accordingly withinvitations to re-enter the requested information, with error messagesand early truncation of the step, or with limiting steps such as thestep 156.

Each collaborative signature depends both on which member signs and onthe contents of the data portion 94 at the time the member signed.Accordingly, a decrypting step 174 decrypts the data portion 94 if adecrypted and current copy of the data portion 94 is not alreadyavailable as a result of the step 162. The step 174 is accomplishedsubstantially in the manner described in connection with the step 162.

During a generating step 176, a message digest based on the decrypteddata portion 94 is generated. In an alternative embodiment, the messagedigest is based on both the decrypted data portion 94 and on a currenttimestamp.

Suitable methods for generating timestamps are well-known in the art.Suitable methods for generating message digests include the MD5 methodand the SHA method; descriptions of these methods based on Schneier areprovided below. Both the MD5 method and the SHA method are known in theart, but their use in combination with the present invention is new.Other familiar methods for generating message digests may also beemployed with the present invention.

The MD5 method proceeds generally as follows. The message text includesthe decrypted data portion 94 alone or that data plus a timestamp. Themessage text is padded so that its length is 64 bits short of somemultiple of 512. The padding includes a single one bit added to the endof the message, followed by as many zero bits as necessary. A 64-bitrepresentation of the length of the unpadded text is appended to thepadded text, thereby making the message length an exact multiple of 512bits in length.

Next, four 32-bit "chaining variables" are initialized as follows:##EQU1##

The method then performs the following steps once for each 512-bit blockin the message text. First, another variable AA receives a copy of thecurrent value of A, BB gets the current value of B, CC gets C, and DDgets D. Then four groups of 16 operations each are performed. Eachoperation performs a nonlinear function on three of A, B, C, and D, andthen adds that result to the fourth variable, to a sub-block of thetext, and to a constant. The operation then rotates that result to theright a variable number of bits and adds the result to one of A, B, C,and D. The final result overwrites a different one of A, B, C, and D.

There are four nonlinear functions, one for each group of operations:##EQU2##

These functions operate such that if the corresponding bits of X, Y, andZ are independent and unbiased, then each bit of the result of applyingthe function will also be independent and unbiased. Function F1 is thebit-wise conditional: If X then Y else Z. Function F3 is the bit-wiseparity operator.

Let M_(j) represent the jth sub-block of the message text, with jrunning from zero to 15, and let <<n represent a left shift of n bits.In step i, let t_(i) be the integer part of 4294967296×abs(sin (i)),where i is in radians. Note that 4294967296 is 2³². Then the fouroperations are: ##EQU3##

The first group of operations is then: ##EQU4##

The second group of operations is: ##EQU5##

The third group of operations is: ##EQU6##

The fourth group of operations is: ##EQU7##

After these four groups of operations are complete for a given 512-bitblock, AA gets AA plus A, BB get BB plus B, CC gets CC plus C, and DDgets DD plus D. The method then repeats the four groups of operationsand the updates for the next 512-bit block of data. The final output isthe concatenation of A, B, C, and D, which is the 128-bit messagedigest.

The SHA method proceeds as follows. First, the message text is padded sothat it is a multiple of 512 bits long. Padding is accomplished by thesame method described with MD5. Five 32-bit variables are initialized:##EQU8##

The method then begins processing the message text, one 512-bit block ata time. First the five variables are copied. AA get A, BB gets B, CCgets C, DD gets D, and EE gets E. Next, four groups of 20 steps eachperform nonlinear operations on three of A, B, C, and D. Then shiftingand adding are performed in manner similar to MD5.

SHA's nonlinear functions are as follows: ##EQU9##

Four constants are used: ##EQU10##

The message block is transformed from sixteen 32-bit words (M₀ to M₁₅)to eighty 32-bit words (W₀ to W₇₉) using the following steps:

W_(t) =M_(t) for t=0 to 15

W_(t) =W_(t-3) XOR W_(t-8) XOR W_(t-14) XOR W₁₋₁₆, for t=16 to 79

If t is the operation number (from 1 to 80), M_(j) represents the _(j)th sub-block of the message (from 0 to 15), and <<n represents a leftshift n bits, then the 80 operations look like: ##EQU11##

After this, A, B, C, D, and E are added to AA, BB, CC, DD, and EE,respectively, and the method continues with the next block of data. Thefinal output is the concatenation of A, B, C, D, and E.

With continued reference to FIGS. 2-6 and 10, after the message digestis generated a password is obtained during a pass-obtaining step 178.The step 178 is accomplished substantially in accordance with thedescription of the step 152 above. The identifier of the signing memberto whom the password corresponds is obtained substantially in accordancewith the step 152 above.

During a key-obtaining step 180, the password is then used to obtain theprivate key 80 of the member who is signing the collaborative document90. The step 180 is accomplished substantially in accordance with thedescription of the step 154 above.

Other Considerations

During an encrypting step 182, the private key 80 is then used toencrypt the message digest generated during the step 176. The encryptionis accomplished in a manner determined by the public-key cryptographicmethod used to generate the private key 80. The private key 80 ispromptly scrambled or otherwise invalidated after the digest isencrypted. The encrypted digest is copied to the encrypted messagedigest 100 in the member definition 96 whose member identifier 98identifies the signing member. Finally, during a linking step 184, theupdated member definition 96 is linked with the collaborative document90. In some embodiments, the previously linked member definition 96 (seesteps 120, 128) is updated in place and the step 184 is omitted.

Those of skill in the art will appreciate that the order of these stepsmay be varied. For instance, the pass-obtaining step 178 may beperformed prior to or as part of the identifying step 170. Likewise, thepass-obtaining step 178 or both the pass-obtaining step 178 and thekey-obtaining step 180 may precede the decrypting step 174 and/or thegenerating step 176. More generally, except in those cases in whichkeys, data, or other information produced in one step are utilized in asubsequent step, any of the steps of the methods described herein may beperformed in any order relative to one another.

Those of skill will appreciate that preferred embodiments of the presentinvention report errors and other conditions which interfere with theinvention as it assists users in controlling work group files. Suitableerror reporting and recovery means are readily determined by those ofskill in the art. Suitable techniques for diagnosing and debuggingimplementations of the present invention are likewise readily determinedby those of skill in the art.

With reference to all Figures, articles of manufacture within the scopeof the present invention include a computer-readable storage medium suchas the medium 34 in combination with the specific physical configurationof a substrate of the computer-readable storage medium. The substrateconfiguration represents data and instructions, including withoutlimitation the data structures and instructions illustrated anddiscussed in connection with the Figures, which cause one or moreprocessors in the network 10 or individual computers 18-24 to operate ina specific and predefined manner to collaboratively encrypt, decrypt,sign, and/or authenticate work group documents as described herein.Suitable storage devices include floppy disks, hard disks, tape,CD-ROMs, RAM, and other media readable by a computer. Each such mediumtangibly embodies a program, functions, and/or instructions that areexecutable by the processor to control collaborative documents accordingto the present invention substantially as described herein.

Summary

The present invention provides a novel method and apparatus forcontrolling work group documents. Although hardware tokens or PCMCIAcards may be used to generate or manage keys in connection with thepresent method, these devices are not required. Many embodiments of themethod will run on general-purpose workstations or terminals, and willoperate effectively with existing computer operating system, networkoperating system, and file system software.

Because the invention provides security through encryption and throughthe use of passwords that are each known only to an individual member ofthe collaborative group, the invention limits work group document accessto those people who are expected to contribute directly to the document.Unlike conventional approaches, security breaches by a hardwaretechnician or by system personnel are not substantial risks. Moreover,the risk of access by an unauthorized programmer is greatly reducedbecause access to a document's encrypted contents does not provideaccess to the information kept in the document.

A significant advantage of the present invention is the capability itprovides for individual members of a work group to substitute differentdocument keys and/or document key cryptographic methods for thosecurrently being used, without requiring coordination with other groupmembers or distribution of the new key.

Access powers are readily revoked when people leave the collaborativegroup, even though the work group documents are not re-encrypted with anew key and even though the people leaving the group retain theirknowledge of the key(s) they used. The keys known to the members aretheir individual public keys, which are disabled when the memberdefinition marks the member as removed or deleted. The document keys arenot known to the members, but only to the software which implements themethod.

Some embodiments of the present invention use NDS for public keymanagement. Some embodiments use a collaborative access controller thatis distributed throughout the applications. Each of these approacheshelps free the invention from reliance on a single centralized accesscontrol mechanism.

Although particular apparatus and article embodiments of the presentinvention are expressly illustrated and described herein, it will beappreciated that additional and alternative apparatus and articleembodiments may be formed according to methods of the present invention.Similarly, although particular method steps of the present invention areexpressly described, those of skill in the art may readily determineadditional and alternative steps in accordance with the apparatus andarticles of the present invention. Unless otherwise expressly indicated,the description herein of methods of the present invention thereforeextends to corresponding apparatus and articles, and the description ofapparatus and articles of the present invention extends likewise tocorresponding methods.

Section headings herein are for convenience only. The material under agiven section heading is not necessarily the only material herein onthat topic, nor is it necessarily limited only to material on thattopic.

The invention may be embodied in other specific forms without departingfrom its essential characteristics. The described embodiments are to beconsidered in all respects only as illustrative and not restrictive. Anyexplanations provided herein of the scientific principles employed inthe present invention are illustrative only. The scope of the inventionis, therefore, indicated by the appended claims rather than by theforegoing description. All changes which come within the meaning andrange of equivalency of the claims are to be embraced within theirscope.

What is claimed and desired to be secured by patent is:
 1. A method forcontrolling collaborative access to a work group document by users of acomputer system, the document having a data portion and a prefix portioneach portion capable of being stored in at least one file in thecomputer system, said method comprising the computer-implemented stepsof collaboratively encrypting the document and restricting access to thedata portion of the resulting collaboratively encrypted document.
 2. Amethod for controlling collaborative access to a work group document byusers of a computer system, the document having a data portion and aprefix portion, each portion capable of being stored in at least onefile in the computer system, said method comprising thecomputer-implemented steps of collaboratively encrypting the documentand restricting access to the data portion of the resultingcollaboratively encrypted document, wherein said step of collaborativelyencrypting the document comprises the steps of:encrypting at least aportion of the document using a document key; identifying acollaborative group which contains at least one member, each memberhaving a corresponding member identifier; obtaining a public key foreach member of the collaborative group, each public key having acorresponding private key, the public and private keys being generatedby a public-key cryptographic method; and linking each member identifierwith a corresponding encrypted copy of the document key and with thedocument, each encrypted copy of the document key being created by usingthe public key of the member identified by the member identifier.
 3. Themethod of claim 2, further comprising the step of adding a new member tothe collaborative group.
 4. The method of claim 2, further comprisingthe step of removing a member from the collaborative group.
 5. Themethod of claim 2, wherein said encrypting step is preceded by the stepof generating the document key.
 6. The method of claim 5, wherein saidgenerating step comprises generating a document key with a public-keycryptographic method.
 7. The method of claim 5, wherein said generatingstep comprises generating a document key with a symmetric cryptographicmethod.
 8. The method of claim 7, wherein the symmetric cryptographicmethod comprises a method selected from group consisting of the DESmethod, the triple-DES method, and the IDEA method.
 9. The method ofclaim 2, wherein said linking step comprises storing the memberidentifiers and the corresponding encrypted copies of the document keyin the same file as the data portion of the document.
 10. The method ofclaim 2, wherein said linking step comprises storing the memberidentifiers and the corresponding encrypted copies of the document keyin a location that is outside of any file that contains any part of thedata portion of the document.
 11. The method of claim 2, wherein atleast one member of the collaborative group corresponds to an individualuser object that is recognized by a network operating system.
 12. Themethod of claim 2, wherein at least one member of the collaborativegroup corresponds to an organizational role object that is recognized bya network operating system.
 13. The method of claim 2, wherein at leastone member of the collaborative group corresponds to a group object thatis recognized by a network operating system.
 14. The method of claim 2,wherein said step of obtaining a public key comprises accessing a PCMCIAcard.
 15. The method of claim 2, wherein said step of obtaining a publickey comprises accessing a database of public keys maintained on acomputer network.
 16. The method of claim 15, wherein said accessingstep comprises authenticating an access request by verifying that thesource of the access request has sufficient access rights.
 17. Themethod of claim 16, wherein said verifying step is performed by anetwork operating system selected from the group consisting of theNetWare network operating system, the NetWare Connect Services operatingsystem, the Windows NT network operating system, the LAN Manager networkoperating system, and the VINES network operating system.
 18. The methodof claim 15, wherein the database of public keys comprises ahierarchical synchronized-partition database maintained by a networkoperating system.
 19. The method of claim 18, wherein the databasecomprises a NetWare Directory Services database.
 20. The method of claim2, wherein said step of obtaining a public key comprises generating apublic key and generating a corresponding private key for at least onemember of the collaborative group after said identifying step.
 21. Themethod of claim 20, wherein the public-key cryptographic methodcomprises a method selected from the group consisting of the RSA method,the Schnorr method, the Diffie-Hellman method, the DSA method, and theElGamal method.
 22. A method for controlling collaborative access to awork group document by users of a computer system, the document having adata portion and a prefix portion, each portion capable of being storedin at least one file in the computer system, said method comprising thecomputer-implemented steps of collaboratively encrypting the documentand restricting access to the data portion of the resultingcollaboratively encrypted document, wherein said restricting stepcomprises the steps of:detecting that the document has beencollaboratively encrypted; obtaining a member identifier and acorresponding password from the user; and attempting to use the passwordto obtain the private key of the member identified by the memberidentifier.
 23. The method of claim 22, wherein said attempting stepcomprises accessing a hardware token connected to a computer in anattempt to obtain the private key.
 24. The method of claim 22, wherein aprivate key is obtained by using the password, and said method furthercomprises the step of attempting to locate an encrypted copy of thedocument key which corresponds to the member identifier and which islinked to the document.
 25. The method of claim 24, wherein such anencrypted copy of the document key is located, and said method furthercomprises the steps of decrypting the encrypted copy of the document keyby using the private key and then decrypting the document by using thedocument key.
 26. A method for controlling collaborative attribution ofa work group document to users of a computer system, the document havinga data portion capable of being stored in at least one file in thecomputer system, said method comprising the computer-implemented stepsof:identifying an authorized signer; and signing the document with acollaborative digital signature that is based at least in part on thedata portion of the document and a key of the authorized signer.
 27. Themethod of claim 26, wherein the authorized signer is a member of acollaborative group that was previously associated with the document,each member of the collaborative group having a pair of keys generatedby a public-key cryptographic method.
 28. The method of claim 26,further comprising the step of authenticating the collaborative digitalsignature.
 29. The method of claim 28, wherein said authenticating stepcomprises verifying that an authorized signer identifier correspondingto the authorized signer is linked with the document.
 30. The method ofclaim 29, wherein the authorized signer identifier is also linked withan encrypted copy of a document key that was used to encrypt the dataportion of the document.
 31. A method for controlling collaborativeattribution of a work group document to users of a computer system, thedocument having a data portion capable of being stored in at least onefile in the computer system, said method comprising thecomputer-implemented steps of identifying an authorized signer, andsigning the document with a collaborative digital signature that isbased at least in part on the data portion of the document and a key ofthe authorized signer, wherein said step of signing the documentcomprises the steps of:generating a message digest based on the currentcontents of the data portion of the document; obtaining a signeridentifier and a corresponding password from a user, the signeridentifier identifying a signer of the document; using the password toobtain a private key of the signer from a hierarchicalsynchronized-partition database maintained by a network operatingsystem, the private key and a corresponding public key being generatedby a public-key cryptographic method; encrypting the message digest withthe private key; and linking together the signer identifier, theencrypted copy of the message digest, and the document.
 32. The methodof claim 31, wherein said generating step is preceded by the step ofdecrypting the data portion of the document.
 33. The method of claim 31,wherein said generating step comprises the MD5 method of generating amessage digest.
 34. The method of claim 31, wherein said generating stepcomprises the SHA method of generating a message digest.
 35. The methodof claim 31, wherein said linking step comprises storing the signeridentifier and the corresponding encrypted copy of the message digest inthe same file as the data portion of the document.
 36. The method ofclaim 31, wherein said linking step comprises storing the signeridentifier and the corresponding encrypted copy of the message digest ina location that is outside of any file that contains any part of thedata portion of the document.
 37. The method of claim 31, wherein thepublic-key cryptographic method comprises the RSA method.
 38. The methodof claim 31, wherein the public-key cryptographic method comprises theDSA method.
 39. The method of claim 31, wherein the message digest isbased on the current contents of the data portion of the document and isalso based on a timestamp.
 40. The method of claim 28, wherein saidauthenticating step comprises the steps of:generating a first messagedigest based on the current contents of the data portion of thedocument; obtaining a signer identifier from a user; and attempting touse the signer identifier to obtain a corresponding public key from ahierarchical synchronized-partition database maintained by a networkoperating system, the public key and a corresponding private key beinggenerated by a public-key cryptographic method.
 41. The method of claim40, wherein a public key is obtained, and said method further comprisesthe step of attempting to locate an encrypted copy of a second messagedigest which is linked with the document and with the signer identifier.42. The method of claim 41, wherein such an encrypted copy of a secondmessage digest is located, and said method further comprises the stepsof:using the private key to decrypt the encrypted copy and therebyobtain a plaintext copy of the second message digest; and comparing thefirst message digest and the plaintext copy of the second message digestto identify equivalent portions therein.
 43. A computer-readable storagemedium having a configuration that represents data and instructionswhich cause a processor to perform at least one method step forcontrolling collaborative access to a work group document by users of acomputer system, the document having a data portion and a prefixportion, each portion capable of being stored in at least one file inthe computer system, the method comprising the computer-implemented stepof collaboratively encrypting the document.
 44. A computer-readablestorage medium having a configuration that represents data andinstructions which cause a processor to perform at least one method stepfor controlling collaborative access to a work group document by usersof a computer system, the document having a data portion and a prefixportion, each portion capable of being stored in at least one file inthe computer system, the method comprising the computer-implemented stepof collaboratively encrypting the document, wherein the step ofcollaboratively encrypting the document comprises the stepsof:encrypting a data portion of the document using a document key;identifying a collaborative group which contains at least one member,each member having a corresponding member identifier; obtaining a publickey for each member of the collaborative group, each public key having acorresponding private key, the public and private keys being generatedby a public-key cryptographic method; and linking each member identifierwith a corresponding encrypted copy of the document key and with thedocument, each encrypted copy of the document key being created by usingthe public key of the member identified by the member identifier. 45.The storage medium of claim 44, wherein the method further comprises thestep of adding a new member to the collaborative group.
 46. The storagemedium of claim 44, wherein the method further comprises the step ofremoving a member from the collaborative group.
 47. The storage mediumof claim 44, wherein the encrypting step is preceded by the step ofgenerating the document key.
 48. The storage medium of claim 44, whereinthe linking step comprises storing the member identifiers and thecorresponding encrypted copies of the document key in the same file asthe data portion of the document.
 49. The storage medium of claim 44,wherein at least one member of the collaborative group corresponds to anobject that is recognized by a network operating system.
 50. The storagemedium of claim 44, wherein the step of obtaining a public key comprisesaccessing a database of public keys maintained on a computer network.51. The storage medium of claim 50, wherein the database of public keyscomprises a hierarchical synchronized-partition database maintained by anetwork operating system.
 52. A computer-readable storage medium havinga configuration that represents data and instructions which cause aprocessor to perform at least one method step for controllingcollaborative access to a work group document by users of a computersystem, the document having a data portion capable of being stored in atleast one file in the computer system, the method comprising thecomputer-implemented step of collaboratively encrypting the document,wherein the method further comprises the step of restricting access tothe data portion of the resulting collaboratively encrypted document.53. The storage medium of claim 52, wherein the restricting stepcomprises the steps of:detecting that the document has beencollaboratively encrypted; obtaining a member identifier and acorresponding password from the user; and attempting to use the passwordto obtain the private key of the member identified by the memberidentifier.
 54. The storage medium of claim 53, wherein the attemptingstep comprises accessing a hardware token connected to a computer in anattempt to obtain the private key.
 55. The storage medium of claim 53,wherein a private key is obtained by using the password, and the methodfurther comprises the step of attempting to locate an encrypted copy ofthe document key which corresponds to the member identifier and which islinked to the document.
 56. The storage medium of claim 55, wherein suchan encrypted copy of the document key is located, and the method furthercomprises the steps of decrypting the encrypted copy of the document keyby using the private key and then decrypting the document by using thedocument key.
 57. A computer-readable storage medium having aconfiguration that represents data and instructions which cause aprocessor to perform at least one method step for controllingcollaborative attribution of a work group document to users of acomputer system, the document having a data portion capable of beingstored in at least one file in the computer system, the methodcomprising the computer-implemented steps of:identifying an authorizedsigner; and signing the document with a collaborative digital signaturethat is based at least in part on the data portion of the document and akey of the authorized signer.
 58. The storage medium of claim 57,wherein the authorized signer is a member of a collaborative group thatwas previously associated with the document, each member of thecollaborative group having a pair of keys generated by a public-keycryptographic method.
 59. The storage medium of claim 57, wherein themethod further comprises the step of authenticating the collaborativedigital signature.
 60. The storage medium of claim 59, wherein theauthenticating step comprises verifying that a member identifiercorresponding to the member is linked with the document.
 61. The storagemedium of claim 60, wherein the authorized signer identifier is alsolinked with an encrypted copy of a document key that was used to encryptthe data portion of the document.
 62. A computer-readable storage mediumhaving a configuration that represents data and instructions which causea processor to perform at least one method step for controllingcollaborative attribution of a work group document to users of acomputer system, the document having a data portion capable of beingstored in at least one file in the computer system, the methodcomprising the computer-implemented steps of identifying an authorizedsigner, and signing the document with a collaborative digital signaturethat is based at least in part on the data portion of the document and akey of the authorized signer, wherein the step of signing the documentcomprises the steps of:generating a message digest based on the currentcontents of the data portion of the document; obtaining a signeridentifier and a corresponding password from a user, the signeridentifier identifying a signer of the document; using the password toobtain a private key of the signer from a hierarchicalsynchronized-partition database maintained by a network operatingsystem, the private key and a corresponding public key being generatedby a public-key cryptographic method; encrypting the message digest withthe private key; and linking together the signer identifier, theencrypted copy of the message digest, and the document.
 63. The storagemedium of claim 62, wherein the generating step is preceded by the stepof decrypting the data portion of the document.
 64. The storage mediumof claim 62, wherein the generating step comprises a method ofgenerating a message digest selected from the group consisting of theMD5 method and the SHA method.
 65. The storage medium of claim 62,wherein the linking step comprises storing the signer identifier and thecorresponding encrypted copy of the message digest in the same file asthe data portion of the document.
 66. The storage medium of claim 62,wherein the public-key cryptographic method comprises a method selectedfrom the group consisting of the RSA method and the DSA method.
 67. Thestorage medium of claim 62, wherein the message digest is based on thecurrent contents of the data portion of the document and is also basedon a timestamp.
 68. The storage medium of claim 59, wherein theauthenticating step comprises the steps of:generating a first messagedigest based on the current contents of the data portion of thedocument; obtaining a signer identifier from a user; and attempting touse the signer identifier to obtain a corresponding public key from ahierarchical synchronized-partition database maintained by a networkoperating system, the public key and a corresponding private key beinggenerated by a public-key cryptographic method.
 69. The storage mediumof claim 68, wherein a public key is obtained, and the method furthercomprises the step of attempting to locate an encrypted copy of a secondmessage digest which is linked with the document and with the signeridentifier.
 70. The storage medium of claim 69, wherein such anencrypted copy of a second message digest is located, and the methodfurther comprises the steps of:using the private key to decrypt theencrypted copy and thereby obtain a plaintext copy of the second messagedigest; and comparing the first message digest and the plaintext copy ofthe second message digest to identify equivalent portions therein.